Application of SOINN-based undersampling method in network intrusion detection  Cited by: 5


Authors: WU Shuguang [1]; WANG Hongyan; WANG Yu; WEN Xiaomin; LI Haibin; ZHOU Shanghui

Affiliations: [1] School of Space Information, Space Engineering University, Beijing 101400, China [2] Unit 32039 of PLA, Beijing 102300, China [3] Unit 93719 of PLA, Hohhot, Inner Mongolia 010000, China [4] Unit 66242 of PLA, Xilin Gol, Inner Mongolia 011216, China [5] Unit 95806 of PLA, Beijing 100076, China

Source: Modern Electronics Technique (《现代电子技术》), 2022, No. 21, pp. 88-92 (5 pages)

Abstract: In real network environments, normal traffic makes up a far larger proportion than abnormal traffic, which makes machine-learning-based network intrusion detection systems (NIDS) less effective at detecting the small number of abnormal samples. To address this problem, an undersampling method based on the self-organizing incremental neural network (SOINN) is proposed. The method first feeds the majority-class normal samples into SOINN; the small number of samples output by the algorithm inherit the distribution characteristics of the original data. The balanced data is then used to train several machine learning classifiers, which improves classifier performance. Because the sampling rate of SOINN gradually decreases as the data scale increases, a block sampling method is proposed to determine the size of the sampled data: the sampling rate is calculated first, the block size is then determined from the sampling rate, and finally the compressed data of each block are concatenated to form the final undersampled data. The experimental results show that, compared with other undersampling methods, the proposed method maintains high accuracy and recall with three classifiers: decision tree, K-nearest neighbor (KNN) and support vector machine (SVM).

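Keywords: network intrusion detection; undersampling; sampling rate; block sampling; decision tree; K-nearest neighbor; support vector machine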

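Classification number: TN915.8-34 [Electronics and Telecommunications: Communication and Information Systems]; TP18 [Electronics and Telecommunications: Information and Communication Engineering]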

 
